Abstract: A recent trend in cryptographic systems is to base their encryption/decryption functions on NP-complete problems, and in particular on the knapsack problem. To analyze the security of these systems, we need a complexity theory which is less worst-case oriented and which takes into account the extra conditions imposed on the problems to make them cryptographically useful. In this paper we consider the two classes of one-to-one and onto knapsack systems, analyze the complexity of recognizing them and of solving their instances, introduce a new complexity measure (median complexity), and show that this complexity is inversely proportional to the density of the knapsack system. The tradeoff result is based on a fast probabilistic knapsack solving algorithm which is applicable only to one-to-one systems, and it indicates that knapsack-based cryptographic systems in which one can both encrypt and sign messages are relatively insecure.
1. Introduction

Cryptography, which has always been considered an esoteric mixture of art and science, is rapidly gaining respectability as an important branch of complexity theory. One of the major reasons for this change is our increasing ability to prove (or at least to give strong supporting evidence) that certain computational tasks are inherently difficult. Such results may be discouraging news for engineers, but in the context of cryptosystems they can make the construction of unbreakable super-codes possible. In fact, cryptosystems may turn out to be the most important positive application of the theory of lower bounds, since they seem to be the only case in which impossibly difficult computations are desirable.

In spite of this close relationship, the tools of standard complexity theory are not very well suited to the needs of cryptography. Even when we solve the major open problems (such as the $P \neq NP$ conjecture) we cannot claim that cryptosystems based on difficult (e.g., NP-complete) problems are secure, for the following reasons:

(i) The standard measures of worst-case and average-case complexities are completely inadequate. The existence of some heuristic technique which solves a positive fraction (say, 1/1000) of the instances in polynomial time is enough to make the cryptosystem useless, even if the average case complexity of the heuristic is exponential or if it fails to work correctly on the vast majority of the cases. What we need is a theory of "almost everywhere difficult" computational tasks.

(ii) Complexity theory usually considers the difficulty of a single isolated instance of a computational task. In cryptanalysis, we are often given a big collection of related problems (e.g., many cyphertexts generated by a common cryptosystem and key) to which we can apply statistical methods, analysis of repeated patterns, etc. It is not clear how to include such factors in the complexity-theoretic analysis of a cryptosystem.

(iii) One cannot take an arbitrary difficult computational task and transform it into a cryptosystem. In order to be useful in secret-communication systems, the encoding functions must be one-to-one, and in order to be useful in certain signature generating systems, the encoding functions must be onto (or almost onto - see below). These extra conditions (which are not usually dealt with in complexity theory) can have a major effect on the security of the cryptosystem.

In order to handle these problems, a new theory of cryptocomplexity must be developed, with a particular emphasis on the cryptocomplexity of NP-complete problems. In this paper we consider the special case of the knapsack problem (upon which many of the newer cryptosystems are based) in order to get sharper results, but we believe that some of the ideas and results can be extended to other NP-complete problems as well. An excellent survey of the problems and achievements in this area can be found in Lempel [5].

2. Definitions

A cryptosystem is a collection of pairs consisting of an encryption function $E_K$ (which maps cleartexts into cyphertexts) and a decryption function $D_K$ (which maps cyphertexts back to cleartexts), such that $D_K(E_K(M)) = M$ for every cleartext $M$ and key $K$ (this implies that $E_K$ must be one-to-one). In classic cryptosystems, the two communicating parties share a common pair of encryption/decryption functions which enable them to communicate over insecure channels. In public-key cryptosystems [1], each user publicly reveals his encryption function but keeps his decryption function secret. When user A wants to send a message $M$ to user B, he can compute $E_B(M)$ quickly, but only B can decrypt it back to $M$. If in addition $E_K(D_K(M)) = M$ for every message $M$ and key $K$ (i.e., if $E_K$ and $D_K$ are inverse permutations over the same message space) then A can sign a message $M$ by computing $D_A(M)$; this signature can be easily authenticated by applying A's publicly known encryption function to it, but it cannot be forged on other messages.

In many cryptosystems, it is difficult to make the function $E_K$ onto, and thus not all the possible messages can be signed. The density of a cryptosystem is defined as the fraction of the signable messages among all the messages. In high-density cryptosystems this ratio is close to one, and thus messages can be signed either directly or after a slight perturbation of some unimportant bits. In low-density cryptosystems, too many trial perturbations are necessary and signatures become impractical.

Public-key cryptosystems based on NP-complete problems use the asymmetric relation between problems and their solutions. The easy encryption functions assign to each solution (= cleartext) some problem (= cyphertext) for which it is the unique solution, and the difficult decryption functions solve these problems in order to recover the original cleartext. The most popular of these cryptosystems use the knapsack problem, for which we give a precise definition below.

A knapsack system $K$ is a finite sequence of natural numbers (generators) $a_1, \ldots, a_n$. A knapsack problem (or instance) is a knapsack system + a target value $b$; the problem is to determine if $b$ has a 0-1 valued representation $c_1, \ldots, c_n$ such that $\sum_{i=1}^{n} c_i a_i = b$ (in a modular knapsack problem, this equation should hold modulo a given modulus $m$). The knapsack problem is known to be NP-complete both in its modular and in its non-modular versions. The cleartexts in a knapsack system $K$ are the representations $c_1, \ldots, c_n$ while the cyphertexts are the corresponding target values $b$. The system is one-to-one if every target value has at most one representation in $K$, and onto if every possible target value has at least one representation in $K$ (the possible target values in the non-modular case are all the integers in the interval $[0, \sum_{i=1}^{n} a_i]$, and in the modular case all the integers in the interval $[0, m)$).

Knapsack systems seem to be an ideal source for encryption functions, since they are numeric (and thus easy to implement electronically), fast (need $n-1$ additions and possibly one modular reduction), and probably uniformly hard to invert (in the sense that there are extremely few knapsack systems for which fast inversion algorithms or heuristics are known).

3. Characterization of one-to-one or onto knapsack systems

As described in the introduction, the cryptographically interesting knapsack systems are those which are one-to-one or onto. In this section we consider the problem of characterizing these two sets of knapsack systems.

From the probabilistic point of view, we have:

Theorem 1: A random modular knapsack system with $n$ generators and modulus $m$ is likely to be one-to-one when $n < \frac{1}{2} \log_2 m$ and non one-to-one otherwise.

Proof (Sketch): For randomly chosen modular knapsack systems, the $2^n$ target values corresponding to the $2^n$ possible representations are distributed very uniformly (with possible repetitions) in the $[0, m)$ interval. When successive representations are enumerated (e.g., in lexicographic order on the $n$-bit sequences) and their corresponding target values are marked on the interval, the first repeated marking of a point is likely to occur around the $\sqrt{m}$ stage (this is a variant of the birthday problem in probability theory - see [2]). Thus if $2^n < \sqrt{m}$ a repeated marking is not likely to occur, while if $2^n > \sqrt{m}$ it is. Interpreting a repeated marking as a knapsack system which is not one-to-one and taking binary logarithms of these inequalities give the desired result. Q.E.D.


Theorem 2: A random modular knapsack system with $n$ generators and modulus $m$ is likely to be onto when $n > \log_2 m + \log_2 \log_2 m - \log_2 \log_2 e$ and non-onto otherwise.

Proof (Sketch): Using the random marking paradigm again, we would like to know how many points should be marked at random (with possible repetitions) on the $[0, m)$ interval before all the points are likely to get marked at least once. The probability that a particular point remains unmarked after one marking stage is $1 - 1/m$, and after $2^n$ marking stages it is

$$P_{m,n} = \left(1 - \frac{1}{m}\right)^{2^n}.$$

The expected number of unmarked points at the end of the marking process is $m \cdot P_{m,n}$, and thus the knapsack system is likely to be onto when $m \cdot P_{m,n} < 1$ and non-onto when $m \cdot P_{m,n} > 1$. To find an explicit relation between $m$ and $n$, we evaluate

$$m \cdot P_{m,n} = m \left(1 - \frac{1}{m}\right)^{2^n} = m \left[\left(1 - \frac{1}{m}\right)^{m}\right]^{2^n/m} \approx m \, e^{-2^n/m}.$$

Taking repeated logarithms, we get

$$\log_2 m = (2^n / m) \log_2 e$$

and then

$$\log_2 \log_2 m = n - \log_2 m + \log_2 \log_2 e,$$

which, after rearranging the terms, gives the desired result. Q.E.D.

I 

Example: A 200 element modular knapsack is likely to be one-to-one when its modulus and generators are over 400 bits long; it is likely to be onto when its modulus and generators are less than 192 bits long.

These results show that the expected complexity of solving instances of a random knapsack system with $n$ generators which are $k$ bits long is at most exponential in $\min(n, k)$, and thus systems in which $n$ and $k$ are very different should be avoided. The reason is that if $n \gg k$, we can eliminate all but $O(k + \log k)$ of the $n$ generators and still expect to be able to represent every target value; if $k \gg n$, we can consider just the $2n$ lowermost bits in the generators and still expect each representable target value to have only its original representation.
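The two thresholds and the "random marking" argument behind them are easy to check on small systems. The Python below is an added example, not code from the paper: it evaluates the Theorem 1 and Theorem 2 thresholds for given $n$ and modulus size (treating a modulus of $k$ bits as $\log_2 m = k$), classifies a small modular system as one-to-one and/or onto by enumerating all $2^n$ target values, and estimates over seeded random systems how often each property holds. The function names, the seed and the sample sizes are assumptions of this example.

```python
import math
import random
from itertools import product


def subset_sums(generators, modulus=None):
    """All 2^n target values of the system, one per 0-1 representation
    (reduced mod `modulus` when one is given).  Exhaustive: small n only."""
    sums = []
    for bits in product((0, 1), repeat=len(generators)):
        s = sum(c * a for c, a in zip(bits, generators))
        sums.append(s % modulus if modulus else s)
    return sums


def classify(generators, modulus):
    """Return (one_to_one, onto) for a modular knapsack system by enumeration."""
    sums = subset_sums(generators, modulus)
    distinct = set(sums)
    return len(distinct) == len(sums), len(distinct) == modulus


def likely_one_to_one(n, modulus_bits):
    """Theorem 1: a random system is likely one-to-one when n < (1/2) log2 m."""
    return n < 0.5 * modulus_bits


def likely_onto(n, modulus_bits):
    """Theorem 2: likely onto when n > log2 m + log2 log2 m - log2 log2 e."""
    return n > modulus_bits + math.log2(modulus_bits) - math.log2(math.log2(math.e))


def empirical_rates(n, modulus_bits, trials, seed=1):
    """Fraction of random systems (constructed with a seeded RNG) with n generators
    and modulus 2^modulus_bits that turn out one-to-one, and that turn out onto."""
    rng = random.Random(seed)
    m = 1 << modulus_bits
    one_to_one_hits = onto_hits = 0
    for _ in range(trials):
        gens = [rng.randrange(m) for _ in range(n)]
        one_to_one, onto = classify(gens, m)
        one_to_one_hits += one_to_one
        onto_hits += onto
    return one_to_one_hits / trials, onto_hits / trials


if __name__ == "__main__":
    # The paper's example: 200 generators with a 401-bit vs a 192-bit modulus.
    print(likely_one_to_one(200, 401), likely_onto(200, 192))
    # Small systems where the thresholds predict one-to-one (n=4, 12-bit m)
    # and onto (n=6, 4-bit m) respectively; the rates should be well above 1/2.
    print(empirical_rates(4, 12, 200), empirical_rates(6, 4, 200))
```

For the paper's 200-generator example the threshold functions agree with the text: a 401-bit modulus is on the one-to-one side, a 192-bit one on the onto side, and 193 bits already is not. The empirical rates are only indicative, since $2^n$ subset sums of random generators are not independent uniform points, which is exactly why the theorems are stated as sketches.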

Although these theorems give us some insight into the average-case behavior of knapsack systems, they obviously do not enable us to decide whether a particular knapsack system is one-to-one, or onto. The difficulty of these decision problems is considered in the next group of results:
Theorem 3: Deciding whether a given knapsack system is one-to-one is co-NP complete.

Proof: The decision problem is clearly in co-NP, since there is always a short proof that a given system is not one-to-one (namely, the two representations involved).

To show completeness, we reduce the partition problem to the non-one-to-one problem. The partition problem (which is NP-complete - see [4]) is to decide whether the equation $\sum_{i=1}^{n} c_i a_i = 0$ has a solution in which $c_i \in \{-1, +1\}$ for all $i$.


Lemma 4: A knapsack system $a_1, \ldots, a_n$ is not one-to-one if and only if the equation $\sum_{i=1}^{n} c_i a_i = 0$ has a non-trivial solution in which $c_i \in \{-1, 0, +1\}$ for all $i$.

Proof: If the knapsack system is not one-to-one, then some target value $b$ has two different representations $c'_1, \ldots, c'_n$ and $c''_1, \ldots, c''_n$:

$$\sum_{i=1}^{n} (c'_i - c''_i) \, a_i = 0,$$

in which each $c_i = c'_i - c''_i$ is $-1$, $0$ or $+1$, and at least one of the $c_i$ is not 0.

Conversely, if the equation has a non-trivial solution $c_1, \ldots, c_n$, let us define

$$c'_i = \begin{cases} 1 & \text{if } c_i = 1 \\ 0 & \text{otherwise} \end{cases} \qquad c''_i = \begin{cases} 1 & \text{if } c_i = -1 \\ 0 & \text{otherwise.} \end{cases}$$

It is easy to see that $c_i = c'_i - c''_i$ for all $i$, and thus the equation $\sum_{i=1}^{n} c_i a_i = 0$ implies

$$\sum_{i=1}^{n} c'_i a_i = \sum_{i=1}^{n} c''_i a_i,$$

which gives two different representations for the common value of these terms. Q.E.D.


Proof of Theorem 3 (continued): Given a partition problem $a_1, \ldots, a_k$, we would like to construct a knapsack system $a'_1, \ldots, a'_n$ in such a way that $\sum_{i=1}^{k} c_i a_i = 0$ has a solution with $c_i \in \{-1, +1\}$ iff $\sum_{i=1}^{n} c'_i a'_i = 0$ has a non-trivial solution with $c'_i \in \{-1, 0, +1\}$. The $n = 2k - 1$ numbers $a'_i$ are defined as follows:

$$a'_i = \begin{cases} 2^{3k} a_i + 2^{3i} & 1 \le i \le k - 1 \\ 2^{3k} a_k + \sum_{j=1}^{k-1} 2^{3j} & i = k \\ 2 \cdot 2^{3(i-k)} & k + 1 \le i \le 2k - 1 \end{cases}$$

The easiest way to understand this reduction is to consider the numbers $a'_i$ as bit strings. The bit strings of numbers $a'_i$ in the first group are composed of prefixes (into which the bit strings of the original $a_i$ are left-shifted) plus $3k$-bit suffixes (in which single characteristic bits are turned on). The number $a'_k$ is similarly defined, except that all the characteristic bits of the previous $k - 1$ numbers are turned on in its suffix. Finally, the numbers $a'_{k+i}$ in the last group have empty prefixes, and their suffixes are (numerically) twice as big as those of the corresponding $a'_i$ numbers.

To show that $a'_1, \ldots, a'_{2k-1}$ has the desired properties, assume that $\sum_{i=1}^{k} c_i a_i = 0$ has a solution with $c_i \in \{-1, +1\}$. We define the coefficients $c'_i$ in the following way:

$$c'_i = \begin{cases} c_i & \text{if } i \le k \\ 0 & \text{if } i > k \text{ and } c_{i-k} \ne c_k \\ -1 & \text{if } i > k \text{ and } c_{i-k} = c_k = +1 \\ +1 & \text{if } i > k \text{ and } c_{i-k} = c_k = -1 \end{cases}$$

To show that $\sum_{i=1}^{2k-1} c'_i a'_i = 0$, we consider separately the prefix and suffix regions in this equation. The prefix parts are not empty only in $a'_1, \ldots, a'_k$. Since they are equal to $a_1, \ldots, a_k$ and the coefficients $c'_1, \ldots, c'_k$ are equal to $c_1, \ldots, c_k$, the prefix regions in the equation sum up to zero by assumption. In the suffix parts, the $i$-th group of 3 successive bits is not empty only in $a'_i$ (where it is 001), in $a'_k$ (where it is 001) and in $a'_{k+i}$ (where it is 010); our choice of $c'_i$, $c'_k$ and $c'_{k+i}$ makes sure that all these 3-bit groups of bits add up to zero, and thus the suffixes as a whole add up to zero in $\sum_{i=1}^{2k-1} c'_i a'_i$.

To show the converse, let $c'_1, \ldots, c'_{2k-1}$ be any non-trivial solution of $\sum_{i=1}^{2k-1} c'_i a'_i = 0$, with $c'_i \in \{-1, 0, +1\}$. Taking $c_i = c'_i$ for $i = 1, \ldots, k$ and considering the prefix parts of these equations, it is easy to see that $\sum_{i=1}^{k} c_i a_i = 0$. What remains to be done is to show that this solution is legal, i.e., that none of the $c_i$ is 0.

Since the maximum summed value in each group of 3 successive bits in the suffix is 4 (in binary 001 + 001 + 010 = 100), there can be no carry from one group to the next, and thus each group must sum up to zero independently. The only coefficients $(c'_i, c'_k, c'_{k+i})$ which can make the groups 001 in $a'_i$, 001 in $a'_k$ and 010 in $a'_{k+i}$ sum up to zero are $(0, 0, 0)$, $(+1, +1, -1)$, $(-1, -1, +1)$, $(+1, -1, 0)$ and $(-1, +1, 0)$. For different values of $i$, different coefficient triplets can be chosen from this set, provided that the common $c'_k$ entries get consistent values in all the triplets. Since $c'_1, \ldots, c'_{2k-1}$ is non-trivial, there is at least one $i$ for which $(c'_i, c'_k, c'_{k+i}) \ne (0, 0, 0)$, and thus $c'_k \ne 0$, which implies that $c'_i \ne 0$ for all $1 \le i < k$. Q.E.D.
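The reduction is small enough to run. The following Python is an added example (not the paper's code): `reduce_partition` builds the $2k - 1$ generators $a'_i$ exactly as defined in the proof, `has_partition` decides the partition instance by brute force, and `is_one_to_one` applies Lemma 4 by searching for a non-trivial $c' \in \{-1, 0, +1\}^n$ with $\sum c'_i a'_i = 0$. Both searches are exhaustive, so they only serve to confirm the equivalence on tiny instances; the function names and the sample instances are assumptions of this example.

```python
from itertools import product


def has_partition(a):
    """Brute force: does sum c_i a_i = 0 have a solution with every c_i in {-1, +1}?"""
    return any(sum(c * x for c, x in zip(cs, a)) == 0
               for cs in product((-1, 1), repeat=len(a)))


def reduce_partition(a):
    """Map a partition instance a_1..a_k to the 2k-1 generators a'_1..a'_{2k-1}
    of Theorem 3: a 3k-bit suffix carries one characteristic bit per i."""
    k = len(a)
    prefix = 3 * k                       # original values are shifted past the suffix
    out = []
    for i in range(1, k):                # a'_i = 2^{3k} a_i + 2^{3i}
        out.append((a[i - 1] << prefix) + (1 << (3 * i)))
    # a'_k = 2^{3k} a_k plus every characteristic bit 2^{3j}, 1 <= j <= k-1
    out.append((a[k - 1] << prefix) + sum(1 << (3 * j) for j in range(1, k)))
    for i in range(k + 1, 2 * k):        # a'_i = 2 * 2^{3(i-k)}, empty prefix
        out.append(2 << (3 * (i - k)))
    return out


def is_one_to_one(gens):
    """Lemma 4: one-to-one iff sum c_i a_i = 0 has only the trivial solution
    over c_i in {-1, 0, +1}.  Exhaustive (3^n), so small systems only."""
    for cs in product((-1, 0, 1), repeat=len(gens)):
        if any(cs) and sum(c * x for c, x in zip(cs, gens)) == 0:
            return False
    return True


if __name__ == "__main__":
    # Constructed instances: [1, 2, 3] splits as 1 + 2 = 3, [1, 2, 4] does not.
    for inst in ([1, 2, 3], [1, 2, 4]):
        gens = reduce_partition(inst)
        print(inst, gens, has_partition(inst), is_one_to_one(gens))
```

On the constructed instance $[1, 2, 3]$ the partition $c = (+1, +1, -1)$ turns into $a'_1 + a'_2 - a'_3 = 520 + 1088 - 1608 = 0$ with $c'_4 = c'_5 = 0$, so the reduced system is not one-to-one; for $[1, 2, 4]$ no such combination exists and the reduced system is one-to-one.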

! 

Corollary 5: Deciding whether a given modular knapsack system is one-to-one is co-NP complete.

Proof: When $m > \sum_{i=1}^{n} a_i$ the modulus is irrelevant, since no modular reductions can ever take place. Q.E.D.

The situation with respect to the onto property is quite different:

Theorem 6: Deciding whether a given knapsack system is onto is doable in polynomial time.

Proof: We show by induction on $n$ that the whole interval $[0, \sum_{i=1}^{n} a_i]$ is representable in the knapsack system $a_1, \ldots, a_n$ (in which the $a_i$ are arranged in non-decreasing order) iff $a_j \le 1 + \sum_{i=1}^{j-1} a_i$ for all $1 \le j \le n$ (this condition is clearly decidable in polynomial time). It is true for any single element knapsack system since $[0, a_1]$ is representable iff $a_1 \le 1$. Let $a_1, \ldots, a_{n+1}$ be an $n + 1$ element knapsack system in which $a_j \le 1 + \sum_{i=1}^{j-1} a_i$ for all $1 \le j \le n$. If $a_{n+1} > 1 + \sum_{i=1}^{n} a_i = b$, then the target value $b$ cannot be represented although it is in the interval. On the other hand, if $a_{n+1} \le b$ then every target value in $[0, \sum_{i=1}^{n+1} a_i]$ is either in the subinterval $[0, b - 1]$ (where it is representable with $c_{n+1} = 0$ by the induction hypothesis) or in the subinterval $[a_{n+1}, a_{n+1} + b - 1]$ (where it is representable with $c_{n+1} = 1$). Note that the two subintervals may overlap, and thus some target values may have representations of both forms. Q.E.D.
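The proof is constructive, and the Python below (an added example, not code from the paper) implements both halves of it: `is_onto` checks the sorted-prefix condition of Theorem 6, `witness_gap` returns the unrepresentable target $1 + \sum_{i<j} a_i$ that the proof exhibits at the first violating index $j$, and `represent` follows the induction downward, taking the largest remaining generator exactly when the target is at least that large, which the proof guarantees never gets stuck for an onto system. The function names and the sample systems are assumptions of this example.

```python
def is_onto(generators):
    """Theorem 6: the non-modular system represents every target in
    [0, a_1 + ... + a_n] iff, with the generators in non-decreasing order,
    a_j <= 1 + (a_1 + ... + a_{j-1}) for every j."""
    running = 0
    for a in sorted(generators):
        if a > 1 + running:
            return False
        running += a
    return True


def witness_gap(generators):
    """For a system that fails the test: the target 1 + a_1 + ... + a_{j-1} at the
    first violating index j.  It lies inside the interval but is smaller than every
    remaining generator, so it has no representation.  None when the system is onto."""
    running = 0
    for a in sorted(generators):
        if a > 1 + running:
            return 1 + running
        running += a
    return None


def represent(target, generators):
    """Constructive half of the induction: take the largest generator exactly when
    the target is at least as big, then continue with the rest.  Returns the 0-1
    coefficients in the caller's generator order, or None if the target lies
    outside [0, sum of generators]."""
    if not is_onto(generators):
        raise ValueError("greedy representation is only guaranteed for onto systems")
    if not 0 <= target <= sum(generators):
        return None
    coeffs = [0] * len(generators)
    remaining = target
    for idx in sorted(range(len(generators)), key=lambda i: -generators[i]):
        if remaining >= generators[idx]:
            coeffs[idx] = 1
            remaining -= generators[idx]
    assert remaining == 0          # guaranteed by the induction in the proof
    return coeffs


if __name__ == "__main__":
    # Constructed samples: [3, 1, 1] is onto; [4, 1, 1] misses the target 3.
    print(is_onto([3, 1, 1]), [represent(b, [3, 1, 1]) for b in range(6)])
    print(is_onto([4, 1, 1]), witness_gap([4, 1, 1]))
```

Note that the greedy choice is only justified by the induction when the condition holds; for a system that fails it, a target may still be representable by a different choice, which is why `represent` refuses such systems instead of reporting a misleading `None`.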
The complexity of the modular onto decision problem is still open. No simple characterization was found, and in fact it is not even clear whether the problem is in NP union co-NP. We conjecture that the problem is very difficult, perhaps even $\Pi_2$-complete (it is in $\Pi_2$ since it has the form "for all target values, there exists a representation" - see [11] for more details).

These results show that we cannot effectively characterize all the cryptographically-useful knapsack systems. All we can hope for is to characterize certain subsets of them, such as the Merkle-Hellman [6] and the Graham-Shamir [10] one-to-one knapsack systems and the onto knapsack systems described in [9].

An interesting open problem is whether knapsack problems remain NP-complete when restricted to knapsack systems which are one-to-one. The same question can be asked about the complexity of other similarly restricted NP-complete problems (propositional formulas with at most one satisfying model, graphs with at most one hamiltonian cycle, etc.). As far as we know, none of these problems have been shown to be either NP-complete or polynomially solvable.


4. Properties of one-to-one knapsack systems


A basic property of one-to-one knapsack systems, which will be used in the sequel, is:

Theorem 7: Let $a_1, \ldots, a_n$ be a one-to-one (modular or non-modular) knapsack system, let $i$ be an arbitrary index between 1 and $n$, and let $b$ and $b + a_i$ be two target values whose representations (if they exist) are denoted by $c_1, \ldots, c_n$ and $c'_1, \ldots, c'_n$ respectively. Then:

(i) If both $b$ and $b + a_i$ are representable, then $c_i = 1$ if and only if $c'_i = 0$.

(ii) If $b$ is representable but $b + a_i$ is not, then $c_i = 1$.

(iii) If $b + a_i$ is representable but $b$ is not, then $c'_i = 0$.

Proof: (i) If $c_i = c'_i = 0$, we can add $a_i$ to the representation of $b$ (i.e., change $c_i$ from 0 to 1) in order to get a second (and different) representation for $b + a_i$. If $c_i = c'_i = 1$, we can subtract $a_i$ from the representation of $b + a_i$ (i.e., change $c'_i$ from 1 to 0) in order to get a second (and different) representation for $b$. Both cases clearly contradict the assumption that the knapsack system is one-to-one.

(ii) If $b$ had a representation in which $c_i = 0$, then by changing $c_i$ to 1 we would get a representation of $b + a_i$, and a contradiction.

(iii) If $b + a_i$ had a representation in which $c'_i = 1$, then by changing $c'_i$ to 0 we would get a representation of $b$.

Q.E.D.

This theorem shows that in one-to-one knapsack systems, the sequence of $c_i$ values in the representations of successive multiples of some fixed generator $a_i$ ($0 \cdot a_i, 1 \cdot a_i, 2 \cdot a_i, \ldots$) is extremely uniform. Denoting by ? the undetermined value of $c_i$ when the multiple is unrepresentable, a typical sequence is:

010101?0101???01010101??01...

This result is particularly important in modular systems, since the set of (modular) multiples of $a_i$ contains all the possible target values whenever $a_i$ and $m$ are relatively prime.
We now turn to consider some transformations which can be applied to knapsack systems without changing their one-to-one or onto character:

Lemma 8: If $a_1, \ldots, a_n$ $(m)$ is a one-to-one (onto) modular knapsack system and $d$ is relatively prime to $m$, then the augmented knapsack system $d a_1, \ldots, d a_n$ $(m)$ is also one-to-one (onto).

Proof: Since $d$ is relatively prime to $m$, it has a modular inverse, $d d^{-1} \equiv 1 \pmod m$, and thus

$$\sum_{i=1}^{n} c_i (d a_i) \equiv b \pmod m \iff \sum_{i=1}^{n} c_i a_i \equiv b d^{-1} \pmod m.$$

Consequently, the number of representable target values in the two systems is the same, and multiple representations occur in one system iff they occur in the other (with target values $b$ and $b d^{-1}$, respectively). Q.E.D.


Lemma 9: If $a_1, \ldots, a_n$ $(m)$ is a one-to-one (onto) modular knapsack system, then the knapsack system obtained by replacing any subset of the $a_i$'s by their complements $m - a_i$ is also one-to-one (onto).

Proof: It is enough to show that a single complementation of $a_1$ to $m - a_1$ leaves the system one-to-one (onto). If $b$ has two representations $c_1, \ldots, c_n$ and $c'_1, \ldots, c'_n$ in the new system, then

$$b \equiv c_1 (m - a_1) + \sum_{i=2}^{n} c_i a_i \equiv c'_1 (m - a_1) + \sum_{i=2}^{n} c'_i a_i \pmod m,$$

and thus

$$b + (c_1 + c'_1) a_1 \equiv c'_1 a_1 + \sum_{i=2}^{n} c_i a_i \equiv c_1 a_1 + \sum_{i=2}^{n} c'_i a_i \pmod m,$$

i.e., $c'_1, c_2, \ldots, c_n$ and $c_1, c'_2, \ldots, c'_n$ are two different representations of a common target value in the old system. Similarly, $b$ can be represented in the new system iff $b + a_1$ can be represented in the old system, since

$$b + a_1 \equiv \sum_{i=1}^{n} c_i a_i \pmod m \iff b \equiv (1 - c_1)(m - a_1) + \sum_{i=2}^{n} c_i a_i \pmod m.$$

Q.E.D.

We end this section with the following technical observation:

Lemma 10: If $a_1, \ldots, a_n$ $(m)$ is a one-to-one modular knapsack system in which $u$ target values are unrepresentable, then $m = 2^n + u$.

Proof: The $2^n$ possible representations generate $2^n$ different representable target values; all the other $m - 2^n$ possible target values are unrepresentable. Q.E.D.


5. Permutation knapsack systems

The ideal knapsack system from the cryptographic point of view is one which is both one-to-one and onto (i.e., a permutation). While each one of the two properties is believed to be very hard to check, their intersection is surprisingly easy:

Lemma 11: The knapsack system $a_1, \ldots, a_n$ defines a permutation if and only if (under some reordering) each $a_i$ is exactly $2^{i-1}$.

Proof: An easy extension of the proof of Theorem 6.

Theorem 12: The modular knapsack system $a_1, \ldots, a_n$ $(m)$ defines a permutation if and only if $m = 2^n$ and (under some reordering) each $a_i$ has the following form: $n - i$ arbitrary leading bits followed by 1 followed by $i - 1$ trailing zeroes.
Proof: By Lemma 10, $m = 2^n$. At least one of the generators (say, $a_1$) must be odd, since if all the generators (and the modulus) were even, odd target values could not be represented in the system. This odd generator is relatively prime to $m$, and thus multiplying all the generators by $a_1^{-1} \pmod m$ creates a new normalized knapsack system $1, a'_2, \ldots, a'_n$ $(m)$ which is also one-to-one and onto by Lemma 8.

All the multiples $0 \cdot 1, 1 \cdot 1, 2 \cdot 1, 3 \cdot 1, \ldots$ of the first generator are representable, and thus by Theorem 7 the coefficient $c_1$ alternates between 0 in the representations of even numbers and 1 in the representations of odd numbers. Since the generators $a'_2, \ldots, a'_n$ have trivial representations of the form $0 \ldots 010 \ldots 0$, they must all be even.

The proof can now proceed by induction. Since the generators, the modulus and the representable numbers are all even in the subsystem $a'_2, \ldots, a'_n$ $(m)$, we can divide them by 2. Applying the characterization in the theorem to the permutation system $a'_2/2, \ldots, a'_n/2$ $(m/2)$, we know that each $a'_i/2$ ($2 \le i \le n$) ends with a 1 followed by $i - 2$ trailing zeroes, and thus each $a'_i$ ends with a 1 followed by $i - 1$ trailing zeroes. Since $a_i \equiv a_1 \cdot a'_i \pmod{2^n}$ and $a_1$ is odd, this also characterizes the structure of the original generators $a_i$.

The other direction (showing that any modular knapsack system with this structure defines a permutation) is left for the reader as an easy exercise. Q.E.D.

As noted by many researchers, the complexity of inverting permutation encryption functions cannot be any higher than NP ∩ co-NP, and thus it is not likely to be NP-complete. (The uniqueness of the solution enables us to give short proofs both for the question "is there a solution satisfying property P" and to its converse "do all the solutions satisfy ~P".) In the special case of knapsack-based encryption functions, we can use the characterization theorems in order to get the stronger result:

i 

Corollary 13: All the knapsack problems generated by (modular or non-modular) permutation knapsack systems are polynomially solvable.

Proof: In the non-modular case, there is only one permutation knapsack system of each size, and it defines an identity mapping. In the modular case, there are non-isomorphic permutation knapsack systems of size $n$ (they differ in the leading bits of the generators), but their structure makes it easy to determine successive $c_i$'s in the representation of each $b$ ($c_1 = 0$ iff $b$ is divisible by 2, $c_2 = 0$ iff $b - c_1 a_1$ is divisible by 4, etc.). Q.E.D.
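The bit-by-bit solver in this proof, together with the Theorem 12 characterization it relies on, is shown in the Python below. This is an added example, not code from the paper: `is_permutation_modular` checks that $m = 2^n$ and that the lowest set bits of the generators are exactly $0, 1, \ldots, n-1$ (which is the "1 followed by $i - 1$ trailing zeroes" condition, with the reordering recovered from those bits), `decrypt` peels off one coefficient per bit as in the proof, and `random_permutation_system` constructs a sample system with arbitrary leading bits so the round trip can be checked over every target value. The function names, the seed and the sample systems are assumptions of this example.

```python
import random


def low_bit(a):
    """Index of the lowest set bit of a (a > 0)."""
    return (a & -a).bit_length() - 1


def is_permutation_modular(generators, m):
    """Theorem 12: a_1..a_n (m) is a permutation iff m = 2^n and, after some
    reordering, a_i = <n-i arbitrary bits> 1 <i-1 zeros> in binary, i.e. the
    lowest set bits of the generators are 0, 1, ..., n-1 in some order."""
    n = len(generators)
    if m != 1 << n:
        return False
    low = sorted(low_bit(a) for a in generators if a > 0)
    return low == list(range(n))


def encrypt(coeffs, generators, m):
    """Target value of a 0-1 representation (the easy direction)."""
    return sum(c * a for c, a in zip(coeffs, generators)) % m


def decrypt(b, generators, m):
    """Corollary 13: c_1 = 0 iff b is even, c_2 = 0 iff b - c_1 a_1 is divisible
    by 4, and so on.  Once the generators are ordered by lowest set bit, the i-th
    one is the only generator still in play with bit i-1 set, so that bit of the
    remainder is c_i.  Returns the coefficients in the caller's generator order."""
    if not is_permutation_modular(generators, m):
        raise ValueError("not a permutation knapsack system")
    order = sorted(range(len(generators)), key=lambda i: low_bit(generators[i]))
    coeffs = [0] * len(generators)
    rest = b % m
    for i, idx in enumerate(order):
        c = (rest >> i) & 1
        coeffs[idx] = c
        rest = (rest - c * generators[idx]) % m
    return coeffs


def random_permutation_system(n, seed=0):
    """Constructed sample: a shuffled system of the Theorem 12 form with
    random leading bits, returned together with its modulus 2^n."""
    rng = random.Random(seed)
    gens = []
    for i in range(1, n + 1):
        leading = rng.randrange(1 << (n - i))          # n-i arbitrary leading bits
        gens.append((leading << i) | (1 << (i - 1)))   # then 1, then i-1 zeros
    rng.shuffle(gens)
    return gens, 1 << n


if __name__ == "__main__":
    gens, m = random_permutation_system(5)
    print(gens, m, is_permutation_modular(gens, m))
    # Every target value decrypts to a representation that encrypts back to it.
    print(all(encrypt(decrypt(b, gens, m), gens, m) == b for b in range(m)))
```

The round trip over all $2^n$ target values is exactly the permutation property; the solver needs $n$ subtractions and $n$ bit tests per cyphertext, which is the polynomial bound the corollary states.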

Thus, unlike the Rivest-Shamir-Adleman factorization cryptosystems (see [8]), no single knapsack-based cryptosystem can both encode and sign arbitrary messages.

What happens when the onto condition is allowed to have a few exceptions? An illustrative result is:

Theorem  14:  The  modular  knapsack  system  a^,...,a^  (m)  is  one-to-one,  and  | 

n *' 

onto  with  a single  exception  b^,  if  and  only  if  m * 2 +1  and  (under  ^ r 

some  reordering)  each  a^  is  either  a^»2^“^(mod  m)  or  m - a^*2^"^(mod  m).  I- 

Proof:  We  first  show  that  all  the  generators  a.  are  relatively  prime  to  j 

the  modulus  m*2”+l.  If  (a^,m)  > 1,  then  the  cyclic  sequence  of 

J* 

numbers  bp  + 1 + 0*a^ , bQ+ 1 1 ‘a^ , bp^  1 ♦ 2*a^ , ...  (mod  m)  contains  { 

fewer  than  m distinct  elements,  and  in  particular  it  does  not  contain  ‘ 

b-.  Consequently,  all  these  numbers  are  representable,  and  by  ’ I 

o I 

Theorem  7 the  c^  in  their  representations  alternate  between  0 and  1.  j 
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The  length  of  the  cycle  must  therefore  be  even,  but  this  contraaicts 

the  fact  that  this  length  must  also  be  a divisor  of  the  odd  modulus  m. 

We  can  now  multiply  the  generators  by  a^^  in  order  to  normalize 
the  knapsack  system  to  1 (">)•  Since  m is  odd,  exactly  one  of 

each  al,m-a!  pair  is  even  and  thus  by  Lemma  9 we  can  transform  this 
knapsack  system  to  l,a2,...,a||  (m)  in  which  all  the  generators  except 
the  first  are  even,  and  in  which  they  are  listed  in  non-decreasing 

order.  If  we  can  show  that  aV  = 2^"^  for  all  i,  we  get  the  desired 

characterization  of  the  original  knapsack  system  by  unwinding  the  two 
normalizing  transformations  we  applied  to  it. 

The  sequence  of  c-j  values  in  the  representations  of  m successive 
multiples  of  the  generator  1 has  the  following  form: 

0101...01?0101..,01. 

Consequently,  the  subsystem  a^.-.-.al^  represents  all  the  even  target 
values  in  the  range  [O.b^)  and  all  the  odd  target  values  in  the  range 
(b^.m).  Since  the  generators  a^.-.-.a^^  themselves  are  even,  they  are 
all  smaller  than  b„. 

If  there  is  any  odd  target  value  in  [0,m)  which  is  representable 
in  a2,...,a||  (m),  let  b^  be  the  smallest.  By  changing  some  c^  from 
1 to  0 in  the  representation  of  b.| , we  get  a representation  of  the 
smaller  odd  target  value  b^  - a^.  (modular  wraparound  cannot  occur  since 
a^  < bo  < bi)  — a contradiction.  Thus  a2,...,ao  can  represent  only 
even  target  values  in  [0,m)  and  bo  = m-1  = 2*^. 

If (without modular reduction) $\sum_{i=2}^{n} a''_i \ge m$, let j be the smallest index such that $b_2 = \sum_{i=2}^{j-1} a''_i < m$ and $b_3 = b_2 + a''_j \ge m$. As a sum of even generators $b_2 \pmod m$ is even, but $b_3 \pmod m$ (which is actually $b_2 + a''_j - m$) is odd. This contradicts the assumption that no odd number in the interval $[0, m)$ can be represented in $a''_2, \ldots, a''_n \ (m)$.

This leaves us with a one-to-one knapsack system $a''_2, \ldots, a''_n$ in which all the even numbers are representable and in which no modular reductions can ever take place (since $\sum_{i=2}^{n} a''_i < m$). By Lemma 11, the only knapsack system having this property is $a''_i = 2^{i-1}$, $2 \le i \le n$.

Q.E.D.

A similar (but somewhat more complicated) characterization was found for modular one-to-one knapsack systems which are onto with two exceptions. We haven't carried out this detailed analysis any further, but we conjecture that all the modular one-to-one knapsack systems with sufficiently high density are recognizable in polynomial time, and that all their associated knapsack problems are solvable in polynomial time. The characterization problem is likely to get harder and harder as the density decreases, since in the absence of the density condition it is co-NP complete.

6. A new complexity measure for cryptographic systems

As described in the introduction, both the worst-case and the average-case complexity measures are inadequate in the context of cryptography, since the security of a cryptographic system depends on the complexity of the easiest (rather than the most difficult) instances of the underlying problem. When a cryptanalyst tries to decode a batch of intercepted messages, he does not crack them in sequence, regardless of computational effort. Instead, he determines a threshold of effort beyond which individual decoding attempts are abandoned. The cryptanalysis is likely to succeed if a sufficiently high percentage of the possible messages is decodable within this time threshold. Note that the actual complexity of the unsolved cases (which can have a strong influence on the average-case complexity) does not matter in this model.

The new complexity measure, which we call median complexity, is essentially a worst case measure on the easier half of the instances. More formally, we define:

Definition: A problem P(x) (where P is a predicate or a function on instances x) has a median complexity C(n) if there exists an algorithm A for it such that for each size n, A solves at least half the instances x whose size is n within time C(n).

An obvious generalization of this definition is to replace the "half" by a fraction parameter $0 \le \alpha \le 1$; the resultant percentile complexity $C(n, \alpha)$ gives for each n and $\alpha$ the complexity of the easiest $\alpha$ of the instances of size n.

Example: Consider the following factorization problem: For each input x (a natural number in binary notation), we have to print out "PRIME" if x is a prime number, and some non-trivial factor if x is composite. The median complexity C(n) of this problem is O(1), since for half the numbers of each size, 2 is a non-trivial factor. The algorithm can be extremely slow on the odd inputs (say, using exhaustive search) without affecting this median complexity. What is the percentile complexity of this factoring problem?

The  new  complexity  measure  enables  us  to  define  the  following  important 
property  of  cryptographic  systems: 


Definition: A problem is uniform if there is a polynomial q which bounds its worst-case complexity to $q(1/\alpha_0) \cdot C(n, \alpha_0)$ for every fraction $\alpha_0$ and $C(n, \alpha_0)$ algorithm that solves it.

This definition states that for each fixed fraction $\alpha_0$, the worst case complexity C(n, 1) is not much bigger than the complexity of the easiest $\alpha_0$ of the instances, and thus a difficult uniform problem is not likely to have sizeable easy subsets of instances. An example of a problem with a uniform behavior was recently discovered by Rabin [7]. He considered the (apparently difficult) problem of taking square roots modulo a composite number m, and showed how to transform each instance of this problem into any other instance, with uniform probability distribution. By trying $O(1/\alpha_0)$ random transformations, any $C(n, \alpha_0)$ algorithm for taking the square roots of a fraction $\alpha_0$ of the numbers modulo m can be made a probabilistic $O((1/\alpha_0) \cdot C(n, \alpha_0))$ algorithm for taking the square roots of all the numbers modulo m.

Randomly chosen modular knapsack systems with many more generators than bits (see Theorem 2) seem to have a similar uniform behavior, although in a less rigorous sense of the word. The transformation in this case consists of subtracting a random subset of the first half of the generators from the target value b, and representing the new target value b' in terms of the second half of the generators. If each half of the generators is an onto knapsack system, then b can be transformed to any other target value b' (typically with a fairly uniform distribution), and any such b' has a representation. The coefficients of the generators in both halves give us a legal representation of the original target value b.
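The transformation just described, run on a constructed toy system as an added example (not code from the paper): both halves are onto modulo 31, a brute-force table stands in for the second-half solver, and an assumed "easy" third of the targets models a $C(n, \alpha)$ algorithm, so that the $O(1/\alpha)$ random retries of the Rabin-style argument solve every target.

```python
import random
from itertools import product

def subset_sum(rep, gens, m):
    """Target value of coefficient vector rep in the system gens (m)."""
    return sum(c * a for c, a in zip(rep, gens)) % m

def half_table(half_gens, m):
    """Brute-force target -> representation map for a small half system."""
    table = {}
    for rep in product((0, 1), repeat=len(half_gens)):
        table.setdefault(subset_sum(rep, half_gens, m), list(rep))
    return table

def partial_solver(table, easy_targets):
    """A solver that answers only the 'easy' fraction alpha of the targets
    (the C(n, alpha) algorithm of the text) and gives up elsewhere."""
    return lambda t: table[t] if t in easy_targets else None

def randomised_solve(gens, m, b, solve_second_half, rng, max_tries):
    """Subtract a random subset of the first half from b, hand the new target
    b' to the second-half solver, and glue the two coefficient halves together.
    Returns (representation or None, number of tries used)."""
    h = len(gens) // 2
    first = gens[:h]
    for tries in range(1, max_tries + 1):
        bits = rng.getrandbits(h)
        c1 = [(bits >> i) & 1 for i in range(h)]
        b_prime = (b - subset_sum(c1, first, m)) % m
        c2 = solve_second_half(b_prime)
        if c2 is not None:
            return c1 + c2, tries
    return None, max_tries

# Constructed toy system (assumption, not from the paper): both halves are onto
# modulo 31, since 1,2,4,8,16 and 3,6,12,24,17 (= 3 * 2^i mod 31) each hit every
# residue, so b' is spread nearly uniformly and every b' is representable.
M = 31
GENS = [1, 2, 4, 8, 16, 3, 6, 12, 24, 17]
EASY = set(range(0, M, 3))          # 11 of 31 targets: alpha is about 1/3
SOLVER = partial_solver(half_table(GENS[5:], M), EASY)

def solve_all(seed=0, max_tries=60):
    """Solve every target in [0, m); returns (all verified, mean tries)."""
    rng = random.Random(seed)
    total, ok = 0, True
    for b in range(M):
        rep, tries = randomised_solve(GENS, M, b, SOLVER, rng, max_tries)
        ok = ok and rep is not None and subset_sum(rep, GENS, M) == b
        total += tries
    return ok, total / M
```

With alpha near 1/3 the mean number of tries comes out near 3, which is the $1/\alpha$ overhead of the text.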




In the next section we demonstrate the usefulness of the new complexity measure by showing that the median complexity of solving modular knapsack problems is inversely proportional to the density of their associated systems, and thus all the very-high-density one-to-one modular knapsack systems (which we were unable to characterize explicitly) are cryptographically insecure. Both the worst-case and the average-case complexity measures seem to be inadequate for this purpose.

7. Tradeoffs between the density and security of modular knapsack systems.

A simple way of motivating our result is as follows. If a complicated but smoothly-behaving function f has to be evaluated at many points, it makes sense to precompute a table of values of f at a sufficiently dense grid of points. When an actual argument b is given, we look up the values of f at the closest grid neighbors of b, and use them in order to interpolate f(b). If the function has some isolated discontinuities, this technique can be applied only to those arguments b whose grid cell does not contain a discontinuity. We thus get a triple tradeoff between the number of discontinuities, the grid size, and the fraction of the arguments b for which f(b) can be interpolated from the table. By fixing this fraction to one half, we get a relationship between the number of discontinuities and the complexity of precomputing the table (as determined by the grid size).

A similar situation exists in high-density one-to-one modular knapsack systems. Theorem 7 shows that the relationship between target values and representations in these systems is very smooth, with potential discontinuities only at the unrepresentable target values (whose exact locations are usually unknown). If b and b' are two sufficiently close locations in the 0-1-? $c_i$ sequence (which we introduced after Theorem 7), we expect their values to be equal if $|b - b'|$ is even, and opposite if $|b - b'|$ is odd. Consequently, we can interpolate the value of $c_i$ at b from the value of $c_i$ at its closest grid neighbor b' whenever the two locations are in the same continuity interval between successive question marks. If these question marks are few and far between, we can use a small number of grid points in order to correctly interpolate the value of $c_i$ at most of the locations.

We can now describe the density/security tradeoff result in detail. Given a one-to-one modular knapsack system $a_1, \ldots, a_n \ (m)$ in which $m \gg u = m - 2^n$, we would like to find a representation for a given target value b. We make the simplifying assumption that $(a_i, m) = 1$ for all i, and thus each generator can be normalized to 1. (Generators with a small gcd can be handled by similar techniques, while generators with a large gcd, if there aren't too many of them, can be handled by brute-force methods once the coefficients $c_i$ of the other generators are determined.)

We proceed in n stages. At the j-th stage, we change the equation $\sum_{i=1}^{n} c_i a_i = b \pmod m$ into $\sum_{i=1}^{n} c_i (a_j^{-1} a_i) = a_j^{-1} b \pmod m$, in which the j-th generator $a_j^{-1} a_j$ is 1 and the target value is $a_j^{-1} b$, but in which the coefficients $c_i$ remain unchanged. Successive multiples of the generator 1 become successive integers, and thus the coefficient $c_j$ in the representation of $a_j^{-1} b$ is just the $a_j^{-1} b$-th entry in the appropriate 0-1-? sequence.

We next choose a random set of r representations, and enumerate their corresponding target values in the augmented system (the exact value of r will be determined later). Since these representations are in a one-to-one correspondence with the representable target values, we get a uniformly distributed grid of r locations along the 0-1 parts in the 0-1-? sequence, whose values are known. The desired $c_j$ value is then interpolated in the usual way, and the tentative collection of coefficients $c_1, \ldots, c_n$ calculated in the n stages is eventually verified by direct substitution.

The most time-consuming part in this process is to find the closest grid neighbor of the location we want to represent. We use a variant of Horowitz and Sahni's algorithm [5]. We divide the (modified) generators into two halves, and prepare for each half a random list of $O(\sqrt{r})$ representation/target value pairs. If x and y are target values in the first and second list, respectively, then $x + y \pmod m$ is a target value whose representation in the complete system is the concatenation of x's and y's representations in their respective half systems. Among the O(r) possible sums we can find the one that best approximates a given value z in the following way. We first sort each one of the two lists into increasing target value order, using a linear time bucket sort. Starting with $(x_{min}, y_{max})$, we replace x by its list-successor whenever the sum is smaller than z, and replace y by its list-predecessor whenever the sum is bigger than z (always recording the best approximation found so far). We stop when we hit z or when one of the two lists is exhausted. In our modular case we have to repeat the process twice, with $z = a_j^{-1} b$ and $z = a_j^{-1} b + m$, but the total time complexity is still $O(\sqrt{r})$.

Our algorithm successfully finds the representation of an (original) target value b only if it is successful in all its n stages. At each stage there is a certain fraction of target values for which the interpolation gives erroneous results, but by making this fraction smaller than $1/2n$, we can guarantee that no more than half of the target values will be incorrectly processed at some stage.

What remains to be done is to show that for an appropriately chosen number r of grid points, each stage can be made correct for all but a $1/2n$ fraction of the target values.

Definition: Given a 0-1-? sequence, the radius of location b in it is the shortest cyclic distance from b to a question mark.

Lemma 15: For every 0-1-? sequence of length m with u question marks, the fraction of the locations which have radiuses smaller than $\frac{m}{4nu}$ is at most $\frac{1}{2n}$.

Proof: In the interval of radius $\frac{m}{4nu}$ around each question mark there can be at most $\frac{m}{2nu}$ locations, and thus the number of locations which are that close to any one of the u question marks is at most $\frac{m}{2n}$.

Q.E.D.

By choosing a random grid of, say, $r = 1000 \cdot n \cdot u$ locations along the 0-1-? sequence, we get an average grid separation of $\frac{m}{1000nu}$, and thus practically all the locations whose radiuses are bigger than $\frac{m}{4nu}$ will be closer to a grid point than to a question mark. Although some grids are better and some grids are worse in this respect, the average grid quality (which is what we are interested in when we consider probabilistic algorithms) is excellent and does not depend on the knapsack system or on the target value involved.

Using this r value, we get:
Theorem 16: The probabilistic median complexity of solving instances of a one-to-one modular knapsack system with modulus m, n generators and u unrepresentable target values is at most $O(n^{3/2} u^{1/2})$.

Proof: Each one of the n phases takes $O(\sqrt{1000 \cdot n \cdot u})$ time, and the total is thus $O(n^{3/2} u^{1/2})$. For every knapsack system with the above parameters, the algorithm succeeds (with a very high probability that does not depend on the system) in finding the representations of at least one half of the possible target values. Q.E.D.
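The n-stage procedure of this section carried out end to end, as an added example (not the paper's code, Python 3.8+): the generators are normalized by $a_j^{-1}$, two random half-lists of $O(\sqrt{r})$ pairs with $r = 1000 \cdot n \cdot u$ are scanned by the two-pointer closest-sum method for both z and z + m, $c_j$ is interpolated by parity, and the result is verified by substitution. The system is a constructed one (the $1, 2, \ldots, 2^{n-1} \pmod{2^n + 1}$ system with u = 1, multiplied by an assumed unit w = 1234), and sorted() stands in for the linear-time bucket sort.

```python
import random
def target_of(rep, gens, m):
    """Target value of coefficient vector rep in the system gens (m)."""
    return sum(c * a for c, a in zip(rep, gens)) % m

def random_half_list(half_gens, m, k, rng):
    """k random representation/target pairs of one half, sorted by target."""
    pairs = []
    for _ in range(k):
        bits = rng.getrandbits(len(half_gens))
        rep = [(bits >> i) & 1 for i in range(len(half_gens))]
        pairs.append((target_of(rep, half_gens, m), rep))
    return sorted(pairs, key=lambda p: p[0])   # the text uses a bucket sort here

def closest_sum(left, right, z, m):
    """Two-pointer scan of the O(r) sums x + y of the two sorted half-lists:
    returns (d, rep) with d = x + y - zz minimal in |d| over zz in {z, z + m}."""
    best = None
    for zz in (z, z + m):
        i, k = 0, len(right) - 1                  # start at (x_min, y_max)
        while i < len(left) and k >= 0:
            s = left[i][0] + right[k][0]
            if best is None or abs(s - zz) < abs(best[0]):
                best = (s - zz, left[i][1] + right[k][1])
            if s < zz:
                i += 1                            # x -> its list-successor
            elif s > zz:
                k -= 1                            # y -> its list-predecessor
            else:
                break                             # hit zz exactly
    return best

def solve(gens, m, b, r, rng):
    """n-stage interpolation solver; returns (coefficients, verified)."""
    n, h, k = len(gens), len(gens) // 2, int(r ** 0.5) + 1   # O(sqrt r) per half
    coeffs = []
    for j in range(n):
        inv = pow(gens[j], -1, m)           # a_j^{-1} mod m: assumes gcd(a_j, m) = 1
        mg = [(inv * a) % m for a in gens]  # the j-th generator is now 1
        z = (inv * b) % m                   # position of b in the 0-1-? sequence
        d, rep = closest_sum(random_half_list(mg[:h], m, k, rng),
                             random_half_list(mg[h:], m, k, rng), z, m)
        # c_j alternates along each 0-1 run: equal at even offset, flipped at odd
        coeffs.append(rep[j] if d % 2 == 0 else 1 - rep[j])
    return coeffs, target_of(coeffs, gens, m) == b   # verify by substitution

# Constructed toy system (assumption): 1,2,...,2^(n-1) (mod 2^n + 1) is one-to-one
# with u = 1; it is disguised by the unit w = 1234 (gcd(1234, 4097) = 1).
N, W, M = 12, 1234, 2 ** 12 + 1
GENS = [(W * 2 ** i) % M for i in range(N)]
R = 1000 * N * 1                            # r = 1000 * n * u as in the text

def solve_target(b, seed=1):
    return solve(GENS, M, b, R, random.Random(seed))
```

With u = 1 the single question mark is almost never between a target and its nearest grid point, so the verified success rate comes out far above the one half that Theorem 16 guarantees; the one unrepresentable target $w \cdot 2^n \pmod m$ is always rejected by the final substitution check.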

This algorithm is considerably faster than the best known $O(2^{n/2})$ algorithm [3] whenever the knapsack system is very-high-density ($m \approx 2^n \gg u$), and it indicates that knapsack systems in which one can both encrypt and sign messages may be dangerously overloaded. Although the result does not directly apply to medium-density ($m \approx 2^n \approx u$) knapsack systems, it seems best to use different types of knapsack systems for these two tasks, such as a low-density ($m \approx u \gg 2^n$) Merkle-Hellman system [6] for encryption and an onto but non-one-to-one system (Shamir [9]) for signature generation.